Source: RiskIQ
Identifier: 8601322
Publication date: 2024-10-22 15:57:30 (viewed: 2024-10-22 16:11:41)
Title: Over 6,000 WordPress hacked to install plugins pushing infostealers
Text:
## Snapshot
[GoDaddy](https://www.godaddy.com/resources/news/threat-actors-push-clickfix-fake-browser-updates-using-stolen-credentials) security researchers have identified more than 6,000 WordPress sites compromised by a new variant of the [ClickFix](https://security.microsoft.com/intel-explorer/articles/6d79c4e3) malware, also known as [ClearFake](https://security.microsoft.com/intel-explorer/articles/c75089e9), which is distributed via fake WordPress plugins.
## Description
Some of the plugins on the compromised WordPress sites have names that mimic legitimate plugins. [Bleeping Computer](https://www.bleepingcomputer.com/news/security/over-6-000-wordpress-hacked-to-install-plugins-pushing-infostealers/) provides a list of the malicious plugins seen between June and September 2024. These fake plugins contain scripts that inject malicious JavaScript into the site's HTML, which then attempts to load further malicious JavaScript from a Binance Smart Chain (BSC) smart contract, ultimately displaying the fake update and error messages used to distribute [infostealer](https://security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6) malware. GoDaddy researchers found a pattern in the JavaScript file name: the first letter of each word of the plugin name, with "-script.js" appended. The plugin metadata contents are fake, including the plugin name, URL, description, version, author, author URI, etc. The plugin and author URIs frequently reference GitHub; however, the associated plugin repositories do not exist on GitHub. The threat actors are believed to use stolen admin credentials to log in to the WordPress sites and install the plugins automatically.
Bleeping Computer advises WordPress administrators to check their installed plugins for any unrecognized entries and, if unknown plugins are identified, to reset administrative passwords.
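The two indicators above (a JavaScript file named from the plugin name's initials plus "-script.js", and plugin or author URIs pointing at GitHub repositories that should be confirmed to exist) can be turned into a quick hunting script for the plugin review Bleeping Computer recommends. The following is an added example, not code from GoDaddy, Bleeping Computer or RiskIQ; it assumes the standard wp-content/plugins/<slug>/<main>.php layout with the usual plugin header comment, and every plugin name, slug and URL in its built-in sample is constructed for illustration.

```python
"""Hunt for the fake-plugin indicators on a WordPress install (added example)."""
import re
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Header fields WordPress reads from the main plugin file; the write-up notes the
# fake plugins forge all of them, so none can be trusted on its own.
HEADER_FIELDS = ("Plugin Name", "Plugin URI", "Description", "Version", "Author", "Author URI")
HEADER_RE = re.compile(
    r"^\s*\*?\s*(" + "|".join(re.escape(f) for f in HEADER_FIELDS) + r")\s*:\s*(.+?)\s*$",
    re.MULTILINE,
)


def parse_plugin_header(php_source: str) -> Dict[str, str]:
    """Return the header fields found in the first 8 KB of a plugin's PHP file."""
    return dict(HEADER_RE.findall(php_source[:8192]))


def expected_script_name(plugin_name: str) -> str:
    """'<initials>-script.js': first letter of each word of the plugin name
    (compared case-insensitively) followed by '-script.js'."""
    words = re.findall(r"[A-Za-z0-9]+", plugin_name)
    return "".join(w[0].lower() for w in words) + "-script.js"


def is_github(uri: str) -> bool:
    host = urlparse(uri).netloc.lower()
    return host == "github.com" or host.endswith(".github.com")


def scan_plugin_dir(plugin_dir: Path) -> Optional[Dict]:
    """Inspect one plugin directory; returns None when no plugin header is found."""
    header: Dict[str, str] = {}
    for php in sorted(plugin_dir.glob("*.php")):
        header = parse_plugin_header(php.read_text(errors="replace"))
        if "Plugin Name" in header:
            break
    if "Plugin Name" not in header:
        return None
    expected = expected_script_name(header["Plugin Name"])
    hits = [p.name for p in plugin_dir.rglob("*.js") if p.name.lower() == expected]
    github_uris = [header[f] for f in ("Plugin URI", "Author URI")
                   if f in header and is_github(header[f])]
    if hits:
        verdict = "suspicious"          # the naming pattern from the write-up is present
    elif github_uris:
        verdict = "verify-github-uri"   # legitimate plugins use GitHub too: confirm the repo exists
    else:
        verdict = "clean"
    return {"slug": plugin_dir.name, "name": header["Plugin Name"], "expected_script": expected,
            "matching_script": hits, "github_uris": github_uris, "verdict": verdict}


def scan_plugins(plugins_root: Path) -> List[Dict]:
    """Scan every plugin directory under wp-content/plugins, sorted by slug."""
    results = []
    for d in sorted(p for p in plugins_root.iterdir() if p.is_dir()):
        r = scan_plugin_dir(d)
        if r is not None:
            results.append(r)
    return results


def build_sample_site(root: Path) -> Path:
    """Write a constructed plugins tree: one ordinary plugin and one matching the
    fake-plugin pattern. Names, slugs and URLs are made up for this example."""
    plugins = root / "wp-content" / "plugins"
    benign = plugins / "site-maintenance-notice"
    benign.mkdir(parents=True)
    (benign / "site-maintenance-notice.php").write_text(
        "<?php\n/**\n * Plugin Name: Site Maintenance Notice\n"
        " * Plugin URI: https://example.com/plugins/site-maintenance-notice\n"
        " * Author: Example Author\n * Author URI: https://example.com\n * Version: 1.0.0\n */\n")
    fake = plugins / "contact-form-secure"
    (fake / "assets").mkdir(parents=True)
    (fake / "contact-form-secure.php").write_text(
        "<?php\n/**\n * Plugin Name: Contact Form Secure\n"
        " * Plugin URI: https://github.com/example-org/contact-form-secure\n"
        " * Description: Adds spam protection to contact forms.\n * Version: 2.1.0\n"
        " * Author: Example Dev\n * Author URI: https://github.com/example-org\n */\n"
        "// plugin body omitted in this constructed sample\n")
    (fake / "assets" / "cfs-script.js").write_text("// constructed placeholder, no payload\n")
    return plugins


def demo_scan() -> List[Dict]:
    """Build the constructed sample in a temp dir and scan it."""
    return scan_plugins(build_sample_site(Path(tempfile.mkdtemp())))


def main(argv: List[str]) -> int:
    # Usage: python wp_plugin_hunt.py /var/www/html/wp-content/plugins (no arg: sample)
    root = Path(argv[1]) if len(argv) > 1 else build_sample_site(Path(tempfile.mkdtemp()))
    for r in scan_plugins(root):
        print(f"{r['verdict']:18} {r['slug']:28} expected={r['expected_script']} "
              f"hits={r['matching_script']} github={r['github_uris']}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A "suspicious" verdict means the plugin ships a JavaScript file with exactly the derived name; "verify-github-uri" only asks the reviewer to check that the referenced repository exists, since GitHub URIs are common in legitimate plugins and the script deliberately makes no network requests. Any flagged plugin should be reviewed alongside the wider advice above: confirm who installed it, and reset administrative passwords if it was not expected.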
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in
Rating: ★★
Tags: Ransomware, Spam, Malware, Tool, Threat
The article does not appear to have been updated after publication.
The article resembles 2 other article(s):
Date (GMT): 2024-10-22 21:29:09
Title: (Déjà vu) THREAT ANALYSIS: Beast Ransomware (direct link)
Description:
## Snapshot
Researchers at Cybereason Security Services Team have uncovered the workings of the Beast Ransomware-as-a-Service (RaaS), which has been targeting Windows, Linux, and ESXi systems since 2022. Recently, the Beast Ransomware group has promoted a partnership program and new capabilities on underground forums.
## Description
The Beast Ransomware platform offers affiliates numerous options for building ransomware binaries that target Windows, Linux, and ESXi systems, enabling tailored configurations to suit different operational requirements. The latest version of Beast Ransomware specifically avoids encrypting data on devices located in Commonwealth of Independent States (CIS) countries, such as Russia, Belarus, and Moldova. This is achieved through code that checks the system's default language settings, country code, and retrieves the target's IP address. If the ransomware detects that the device is in a CIS country, it halts encryption activities.
Like most ransomware, the initial compromise often occurs through various infection vectors, such as phishing emails, or compromised remote desktop protocol (RDP) endpoints. To prevent multiple instances of Beast running simultaneously on the same system, it creates a unique mutex with the string “BEAST HERE?”. This ensures efficient execution and enables the attacker to maintain control over the ransomware's behavior on the infected system.
Beast Ransomware also performs SMB scans to automatically search for and infect vulnerable computers on nearby networks. This self-propagation mechanism can quickly spread the payload without requiring any human intervention. The ransomware also exploits the Restart Manager by stopping services and processes in order to unlock and safely close open files before encrypting a file.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator)
Tags: Ransomware, Spam, Malware, Tool, Threat
Rating: ★★

Date (GMT): 2024-10-25 20:26:33
Title: (Déjà vu) Embargo Ransomware: Rock n Rust (direct link)
Description:
#### Targeted Geolocations
- United States
## Snapshot
Researchers at ESET have identified a new ransomware group named Embargo, which has been targeting US companies since July 2024 with a Rust-based toolkit that includes a loader named MDeployer and an EDR killer called MS4Killer.
## Description
Embargo operates as a Ransomware as a Service (RaaS) provider, employing double extortion tactics and publishing stolen data on its leak site. The group's toolkit is under active development, with signs of ongoing testing, refinement, and on-the-fly adjustments during intrusions.
MDeployer checks for admin privileges and, if present, attempts to reboot the system into Safe Mode to disable security measures. It then disables selected security tools by renaming their directories and executes the Embargo ransomware payload, which performs network share and file directory discovery, encrypts files, and disables automatic Windows recovery. The ransomware drops a note in each encrypted directory and uses a mutex to prevent multiple instances from running.
MS4Killer, designed to disable security products, uses a Bring Your Own Vulnerable Driver (BYOVD) technique, exploiting the vulnerable driver probmon.sys to gain kernel-level code execution. It operates in an endless loop, scanning for and terminating security product processes using XOR-encrypted strings for process names. Persistence is typically achieved through a scheduled task, and in some cases, PowerShell scripts are used for delivery. The Embargo group custom compiles MS4Killer to target specific security solutions and has demonstrated the ability to quickly modify and recompile their tools to adapt to different environments.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps
Tags: Ransomware, Spam, Malware, Tool, Threat
Rating: ★★★